Overview
overview
10Static
static
3VMM.zip
windows7-x64
7VMM.zip
windows10-2004-x64
1Data.exe
windows7-x64
1Data.exe
windows10-2004-x64
1Setup.exe
windows7-x64
5Setup.exe
windows10-2004-x64
10iepdf32.dll
windows7-x64
3iepdf32.dll
windows10-2004-x64
3indecorum.tiff
windows7-x64
3indecorum.tiff
windows10-2004-x64
3plugins/Co...st.dll
windows7-x64
1plugins/Co...st.dll
windows10-2004-x64
1plugins/Np...er.dll
windows7-x64
1plugins/Np...er.dll
windows10-2004-x64
1plugins/Np...rt.dll
windows7-x64
1plugins/Np...rt.dll
windows10-2004-x64
1plugins/mi...ls.dll
windows7-x64
1plugins/mi...ls.dll
windows10-2004-x64
1rubadub.odp
windows7-x64
1rubadub.odp
windows10-2004-x64
1updater/GUP.exe
windows7-x64
1updater/GUP.exe
windows10-2004-x64
6updater/LICENSE
windows7-x64
1updater/LICENSE
windows10-2004-x64
1updater/README.md
windows7-x64
3updater/README.md
windows10-2004-x64
3updater/enco.exe
windows7-x64
6updater/enco.exe
windows10-2004-x64
6updater/gup.xml
windows7-x64
1updater/gup.xml
windows10-2004-x64
1updater/libcurl.dll
windows7-x64
1updater/libcurl.dll
windows10-2004-x64
1Analysis
-
max time kernel
146s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240319-en -
resource tags
arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system -
submitted
06/04/2024, 06:52
Static task
static1
Behavioral task
behavioral1
Sample
VMM.zip
Resource
win7-20240319-en
Behavioral task
behavioral2
Sample
VMM.zip
Resource
win10v2004-20240226-en
Behavioral task
behavioral3
Sample
Data.exe
Resource
win7-20240220-en
Behavioral task
behavioral4
Sample
Data.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral5
Sample
Setup.exe
Resource
win7-20240215-en
Behavioral task
behavioral6
Sample
Setup.exe
Resource
win10v2004-20240319-en
Behavioral task
behavioral7
Sample
iepdf32.dll
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
iepdf32.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral9
Sample
indecorum.tiff
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
indecorum.tiff
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
plugins/Config/nppPluginList.dll
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
plugins/Config/nppPluginList.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral13
Sample
plugins/NppConverter/NppConverter.dll
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
plugins/NppConverter/NppConverter.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral15
Sample
plugins/NppExport/NppExport.dll
Resource
win7-20240220-en
Behavioral task
behavioral16
Sample
plugins/NppExport/NppExport.dll
Resource
win10v2004-20231215-en
Behavioral task
behavioral17
Sample
plugins/mimeTools/mimeTools.dll
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
plugins/mimeTools/mimeTools.dll
Resource
win10v2004-20240226-en
Behavioral task
behavioral19
Sample
rubadub.odp
Resource
win7-20240319-en
Behavioral task
behavioral20
Sample
rubadub.odp
Resource
win10v2004-20240226-en
Behavioral task
behavioral21
Sample
updater/GUP.exe
Resource
win7-20240221-en
Behavioral task
behavioral22
Sample
updater/GUP.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral23
Sample
updater/LICENSE
Resource
win7-20240221-en
Behavioral task
behavioral24
Sample
updater/LICENSE
Resource
win10v2004-20240226-en
Behavioral task
behavioral25
Sample
updater/README.md
Resource
win7-20240221-en
Behavioral task
behavioral26
Sample
updater/README.md
Resource
win10v2004-20231215-en
Behavioral task
behavioral27
Sample
updater/enco.exe
Resource
win7-20240215-en
Behavioral task
behavioral28
Sample
updater/enco.exe
Resource
win10v2004-20240226-en
Behavioral task
behavioral29
Sample
updater/gup.xml
Resource
win7-20240221-en
Behavioral task
behavioral30
Sample
updater/gup.xml
Resource
win10v2004-20240226-en
Behavioral task
behavioral31
Sample
updater/libcurl.dll
Resource
win7-20240221-en
Behavioral task
behavioral32
Sample
updater/libcurl.dll
Resource
win10v2004-20240226-en
General
-
Target
Setup.exe
-
Size
8.7MB
-
MD5
480f8cf600f5509595b8418c6534caf2
-
SHA1
dc13258ebb83bdf956523d751f67e29d6e4cf77e
-
SHA256
6d8905ec0b1dfdc0a10d1cce40714ddd73205a09ad390b933ddbecdcf06a4cf2
-
SHA512
f0bd99f68d59e80538fb276945d0f383394cb94a35c6d12ebd3e87061222249f78b9ca75716b33e36b66842b97c71149612111fcb6a8a3bc3a97635b03934aaf
-
SSDEEP
196608:Ywdj1UbkCchr3rlFE8GCWhKUzGZ3gRTFHnBz58//o:Yw91Ubkxhr3rlFHWhKUzGZ3gRTFhzi/o
Malware Config
Extracted
lumma
https://kitchenreviewbewrwsa.shop/api
https://birdpenallitysydw.shop/api
https://cinemaclinicttanwk.shop/api
https://disagreemenywyws.shop/api
https://speedparticipatewo.shop/api
https://fixturewordbakewos.shop/api
https://colorprioritytubbew.shop/api
https://abuselinenaidwjuew.shop/api
https://methodgreenglassdatw.shop/api
Signatures
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 636 set thread context of 3616 636 Setup.exe 97 -
Loads dropped DLL 1 IoCs
pid Process 208 RunDll.exe -
Suspicious behavior: EnumeratesProcesses 7 IoCs
pid Process 636 Setup.exe 636 Setup.exe 636 Setup.exe 3616 netsh.exe 3616 netsh.exe 3616 netsh.exe 3616 netsh.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 636 Setup.exe 3616 netsh.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 636 Setup.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 636 wrote to memory of 3616 636 Setup.exe 97 PID 636 wrote to memory of 3616 636 Setup.exe 97 PID 636 wrote to memory of 3616 636 Setup.exe 97 PID 636 wrote to memory of 3616 636 Setup.exe 97 PID 3616 wrote to memory of 208 3616 netsh.exe 108 PID 3616 wrote to memory of 208 3616 netsh.exe 108 PID 3616 wrote to memory of 208 3616 netsh.exe 108 PID 3616 wrote to memory of 208 3616 netsh.exe 108
Processes
-
C:\Users\Admin\AppData\Local\Temp\Setup.exe"C:\Users\Admin\AppData\Local\Temp\Setup.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:636 -
C:\Windows\SysWOW64\netsh.exeC:\Windows\SysWOW64\netsh.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3616 -
C:\Users\Admin\AppData\Local\Temp\RunDll.exeC:\Users\Admin\AppData\Local\Temp\RunDll.exe3⤵
- Loads dropped DLL
PID:208
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3908 --field-trial-handle=2148,i,1752153415760610784,11376271161549019716,262144 --variations-seed-version /prefetch:81⤵PID:968
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.5MB
MD52afa1e9e48736a687ac1d81386e96954
SHA10635590a90d33bc15a38548bb4b566bd0bb450a9
SHA256f340c791a9408118ac69c07bd71df107b57142e4a351b13ac84ccf7c51800e3e
SHA5125365a5a00931796a8251eecc3be320c7a5bbab641cac38efa9a75d952ea70cc97251a74c85d966bc9633efb7ce178291361fdea788a0221c55780386529db340
-
Filesize
3.6MB
MD5726444379dbb621f5f117a2605425be1
SHA11700e8c51b39a8000bb41ee8b25940a6962c305b
SHA256a642496f090ca7c54dc57e9ae6f5fe65b3a233dcdf7a2b734f58be23a388b1e9
SHA51228f04eef12ae8d58dd67d956a1bcce0fc3dad579105c4be19432cb902b89977ffb8f9ac85506ce9461582276cd4c5c7be476016c4d9cf3f67bf7f1674c5cd267